<?PHP

// START FUNCTIONS

//This function will help protect your database from SQL injection, which happens when a person 
//	intentionally inputs characters into your script that will allow them unauthorized access 
//	to your database. The below method is minimal protection and you should study more ways to 
//  enhance security.

function escape($str)
{
	$search=array("\\","\0","\n","\r","\x1a","'",'"' , "%" , "`");
	$replace=array("\\\\","\\0","\\n","\\r","\Z","\'",'\"' , " " , " ");
	return str_replace($search,$replace,$str);
}


//This function will be used to ensure that the input for the score is a number and nothing else.

function ValidateNum($IN)
{
	$pass = 0;
	if( "" != trim($IN) )
	{
		if ( preg_match("/^([0-9])*$/" , $IN)  )
			{
				$pass = 1;
			}
	}

	return $pass;
}

//We'll use this function to validate the player's name. This makes use of escape() from above.
function ValidateName($IN , $maxLength)
{
	$pass = 0;
	
	$trimmedIN = trim($IN);
	if ("" != $trimmedIN)
	{
		//check to ensure the length is proper
		if (strlen($trimmedIN) >= 1 AND strlen($trimmedIN) <= $maxLength )
		{
			//check to make sure there aren't illegal characters
			if($trimmedIN == escape($trimmedIN))
			{
				$pass = 1;
			}
		}
	}

	return $pass;
}

// END FUNCTIONS


//Now we'll validate the input sent from the app.
//	AGK uses the POST method for sending data. 
//	This can be converted to GET if you need to do so (DBPro).
//  You may also want to change these to $_GET for easy testing via URL.
//  For example, if they are set to $_GET you can simply input 
//	www.YourDomain.com/scores.php?score=100&name=Me
//  to test the script.

$score = $_POST['score'];
$scorePass = ValidateNum($score);

$name = $_POST['name'];
$namePass = ValidateName($name , 12);

//If one of the inputs don't pass then shut down the script immediately.

if($scorePass != 1 OR $namePass !=1)
{
	Die('0'); 
	//This will send 0 back to the app. You may want to send back a more useful number.
}


//Now that we've passed validation we can connect to the database.
$dbip = 'localhost';
$dbu = 'db_user';
$dbp = 'db_password';
$dbn = 'high_scores';
$con=@mysqli_connect($dbip , $dbu , $dbp , $dbn); 
//The @ symbol can be used in front of MySQL commands so that they don't output warnings
//  or other error methods. While testing you'll want to use command without the @ symbol.

if(@mysqli_connect_errno())
{
	Die('0'); //output 0 or some other code so that your app knows data was NOT sent.
}
else
{
	//Now that we're connected to the database we can check to see if the input score is a high score.
	//  For this demonstration we'll see if the score is within the top 10.
	
	$qry = 'SELECT MAX(SCORE) as max_score , MIN(SCORE) as min_score
			FROM 
				(
				SELECT SCORE 
					FROM my_game
					ORDER BY SCORE DESC
					LIMIT 10
				) g';
	//This will search the database by selecting the Maximum and Minimum scores from the first
	//  10 rows of the database when ordered DESCending.
	
	
	//Now we'll execute the query and make sure it doesn't fail.
	//  If it does fail then we instruct the script to Die and output some error code.
	$result = @mysqli_query( $con , $qry);
	if (!$result)
	{
		Die('0');
	}	
	
	//We can now fetch the data from the result
	$row = @mysqli_fetch_assoc($result);
	$max_top10 = $row['max_score'];
	$min_top10 = $row['min_score'];
	
	//Now we check to see if the player's score is in the top 10
	if ($score > $min_top10)
	{
		//If it is then we can simply insert it into the database.
		//  This works well because whenever we retrieve the top 10 it will be ordered
		//  and the new score will be included. The database will eventually have many scores
		//  outside of the top 10 and should be cleaned up at some point.
		//  Since this database is very small it may not need to be cleaned often.
		
		$newScore_qry = "INSERT INTO my_game (NAME,SCORE) VALUES('".$name."' , ".$score.")";
		$resultNewScore = @mysqli_query( $con , $newScore_qry);
		if (!$resultNewScore)
		{
			Die('0'); //something went wrong and the db wasn't updated
		}	
		else
		{
			echo '1'; //success!
		}
	}
	else
	{
		Die('-1'); 	//tell the player it isn't a high score :(	
	}
}
?>